© FIDO Alliance 2024 Confidential
THALES GROUP LIMITED DISTRIBUTION - SCOPE
The Fit for Passkeys for Employee and Consumer Sign-ins
Gregory Vigroux & Pedro Martinez, Thales
WHY?
Organizations interact with users through digital services
One inconvenient Truth: PASSWORDS EVERYWHERE
One common Goal: GET RID OF PASSWORDS
Diverse IT
Diverse users
B2B: Business partners, Suppliers, Extended workforce
B2E: Office employees, Frontline workers, Gig workers
B2C: Consumers, Non-regulated and regulated
Diverse channels
Digital user journey: SIGN UP, LOG IN, USE, LEAVE
From PASSWORDS to LESS PASSWORDS to PASSWORDLESS
PASSKEYS will kill PASSWORDS
> It is inevitable,
> It has already started
> It will happen fast
Image © Apple: developer.apple.com/passkeys/
The many benefits of passkeys
UX
> Biometrics vs typing
> Nothing to remember, renew, reset, re-enrol
Security
> Passkeys are immune to:
- Phishing
- Data leaks
ROI
> More user engagement
- Faster logins, better UX, less abandonment
> Lower costs
- 20-50% of all helpdesk calls are for password reset*
- $70 is the average cost of a password reset helpdesk call**
*Source: Gartner
**Source: Forrester
All main mobile and computer platforms and browsers already support passkeys natively
THROUGH EVERY MAJOR WEB BROWSER
ON EVERY PLATFORM
All trademarks, logos and brand names are the property of their respective owners.
3 types of authenticators (relying party POV)
1. OS platforms
2. Mobile apps (My Bank’s App, SDK)
3. HW tokens
1st choice authenticators for different use cases
WORKFORCE
CONSUMER (Regulated industry)
CONSUMER (Unregulated industry)
Mobile Inband Authentication
Mobile app is the channel
Mobile app is the auth. device
[Diagram: DIGIBANK mobile app. Transfer Money (Amount: €100, Account: 101.242.313) -> "Transfer €100?" with MFA (PIN or Biometrics + Possession) -> Transfer approved]
Out of Band Authentication
Web service is the channel
Mobile app is the auth. device
[Diagram: DIGIBANK web service. Transfer money (Amount: €100, Account: 101.242.313) -> "Validate transaction on mobile" -> Push notification sent to user’s mobile device -> "Transfer €100?" with Out-of-band MFA (PIN or Biometrics + Possession) -> Transaction approved]
NEW! Browser based InBand Authentication now possible
Web service is the channel
Web service calls on platform OS for FIDO Authentication
[Diagram: DIGIBANK web service. Transfer money (Amount: €100, Account: 101.242.313) -> "Transfer 100€?" with MFA (PIN or Biometrics + Possession) -> Transaction approved]
Synced passkeys (a.k.a. multidevice passkeys)
1. Enrolment on first device
Key pair created on device, public key exported to FIDO server
2. Export to cloud
OS exports the private key to the device's OS cloud
3. Passkey behaviour
Microsoft/Apple/Google cloud provisions the private key to the other devices of the same user. All devices share the same passkey.
[Diagram labels: Private Key, Public Key, iCloud Keychain, Service provider’s Authentication Server, Platform’s Cloud]
Pros and cons of passkeys syncing
Pros
Enrol your passkey on one device, use it on any* of your devices
> No need to enrol on each device
Account recovery solved, at last
> Passkeys are saved in the cloud of Apple/Google/Microsoft
> If you lose your device, you can recover your passkey from cloud
Cons
Security of multi device passkeys relies on security of Google/Apple clouds
> Not completely under the SP's control
Can passkeys be used for SCA/MFA?
> They combine 2 authentication factors (biometrics + possession)
> But they are NOT uniquely bound to ONE device
2 types of passkeys for 2 different uses
Phone
Desktop
Tablet
Passkeys for passwords replacement and for SCA
[Chart: options placed on UX and SECURITY axes, each with a "Security:" and a "UX:" rating; the ratings themselves are not recoverable]
Passwords
Synced passkeys for login (Replace passwords)
Device-bound passkeys on Mobile app (My Bank SDK)
Device-bound passkeys on HW token
LOW ASSURANCE AUTH
STRONG AUTHENTICATION
REGULATORY COMPLIANCE / ENTERPRISE-GRADE SECURITY
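An added example, not part of the Thales deck: one way a relying party's FIDO server can tell a synced passkey from a device-bound one, by reading the backup-eligible (BE) and backup-state (BS) flags in WebAuthn authenticator data, and then apply the split the slides describe (synced passkeys for login, device-bound passkeys for SCA). The RP ID digibank.example, the decide() policy and its return strings are assumptions, and the assertion signature is assumed to have been verified already.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bits of the authenticator data "flags" byte (W3C WebAuthn).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometrics)
FLAG_BE = 0x08  # backup eligible: the passkey can be synced
FLAG_BS = 0x10  # backup state: the passkey is currently backed up


@dataclass(frozen=True)
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    def has(self, bit: int) -> bool:
        return bool(self.flags & bit)


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticator data is shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", raw[:37])
    if flags & FLAG_BS and not flags & FLAG_BE:
        raise ValueError("BS set without BE: malformed authenticator data")
    return AuthData(rp_id_hash, flags, sign_count)


def decide(raw: bytes, rp_id: str, purpose: str, registered_be: bool) -> str:
    """Hypothetical policy: returns 'accept', 'step-up: ...' or 'reject: ...'.

    purpose is 'login' or 'sca'; registered_be is the BE flag the server
    stored when the passkey was enrolled.
    """
    if purpose not in ("login", "sca"):
        raise ValueError("unknown purpose")
    ad = parse_auth_data(raw)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode("utf-8")).digest():
        return "reject: rpIdHash does not match this relying party"
    if not ad.has(FLAG_UP):
        return "reject: user presence flag not set"
    if ad.has(FLAG_BE) != registered_be:
        return "reject: backup eligibility changed since enrolment"
    if purpose == "sca":
        if not ad.has(FLAG_UV):
            return "reject: SCA requires user verification"
        if ad.has(FLAG_BE):
            # A syncable key is shared across the user's devices.
            return "step-up: synced passkey is not bound to one device"
    return "accept"


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct sample authenticator data (test input, not captured traffic)."""
    digest = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return digest + struct.pack(">BI", flags, sign_count)


if __name__ == "__main__":
    rp = "digibank.example"  # constructed RP ID
    synced = build_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    bound = build_auth_data(rp, FLAG_UP | FLAG_UV, 7)
    for name, raw, be in (("synced", synced, True), ("device-bound", bound, False)):
        for purpose in ("login", "sca"):
            print(name, purpose, "->", decide(raw, rp, purpose, be))
```

Storing the BE flag at enrolment lets the server also notice a credential that later claims a different eligibility than the one it registered with.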
The Fit for Passkeys for your Workforce
Follow a hybrid approach to Go Passwordless
Allan Ant, Gartner IAM Summit, March 2023, “Go Passwordless Whenever You Can
Wherever You Can”
Get the best of PKI and FIDO worlds & manage transition
Compliance
Physical access control
From any device
Digital signature
Email/file encryption
Strong authentication
Passkey deployment Pain Points
Enterprise challenges to deploy FIDO in their organization
IDP Registration
> Multiple IDPs deployed
> Users are not autonomous
> token revocation…
Configuration Management
> How to manage FIDO device life cycle
> How to manage token association
PKI to FIDO Migration
> Propose devices covering both use cases
> With same level of service
A solution adapted to your deployment approach
Deployment       | Self-Service Driven                      | Admin Driven
PKI to FIDO      | Hybrid PKI/FIDO keys, IDP + utility tool | Hybrid PKI/FIDO keys, IDP + CMS
Password to FIDO | FIDO Keys, IDP + utility tool            | FIDO Keys, IDP + CMS
Control fido key life cycle
Decentralize fido key life cycle
In conclusion
Thales OneWelcome Identity Platform loves Passkeys!
[Diagram labels: Password replacement, SCA, MFA; Platform, Mobile App, HW Tokens; Synced passkeys, Device-bound passkeys; SECURITY; Authentication back end; CONSUMER, WORKFORCE]
Takeaway
1. PASSWORDS -> PASSKEYS
> Passkeys are inevitable. They will replace passwords for B2C, at last. And Fast.
2. You need FIDO Authentication in your back-end
> Thales OneWelcome Identity Platform offers FIDO Authentication as a Service
> For low assurance (login) and for Strong Customer Authentication (SCA)
> Self-service or admin driven fleet management tools
3. Thales can help you
> To migrate from passwords to passkeys for consumer log in
> To migrate from your legacy SCA to FIDO/passkeys based SCA
> To adopt a hybrid PKI/FIDO approach for your employees
> To configure your fido keys and better control their life cycle
Thank you
